ditekshen / detection

Detection in the form of Yara, Snort and ClamAV signatures.

Stomped_PECompilation_Timerstamp_IntTheFuture is not suspicious #2

Closed govert closed 2 years ago

govert commented 2 years ago

I've recently run into this indicator: https://github.com/ditekshen/detection/blob/25055fe48da0057b064a59615662fba7f8d3718b/yara/indicator_suspicious.yar#L1045

The check is not (or no longer) an appropriate one. The indicator is expected for PE files compiled with recent Windows 10 SDKs. See this discussion: https://devblogs.microsoft.com/oldnewthing/20180103-00/?p=97705

One of the fields in the Portable Executable (PE) header is called TimeDateStamp. It’s a 32-bit value representing the time the file was created, in the form of seconds since January 1, 1970 UTC. But starting in Windows 10, those timestamps are all nonsense.
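To make the false-positive mechanism concrete, here is an added example (not code from the ditekshen/detection repository or from the issue author) that reads TimeDateStamp from the COFF header of a PE image, applies the "in the future" test against a fixed reference time, and estimates how often a reproducible-build timestamp (effectively a random 32-bit value) would trip that test. The PE header bytes and the reference time are constructed for the example.

```python
import struct

# Constructed reference "now": 2022-01-01T00:00:00Z, so results are deterministic.
NOW = 1640995200


def coff_timestamp(pe: bytes) -> int:
    """Return TimeDateStamp from the COFF file header of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def classify(ts: int, now: int = NOW) -> str:
    """The naive YARA-style verdict: is the compile timestamp later than 'now'?"""
    if ts == 0:
        return "zero"
    return "future" if ts > now else "past"


def future_fraction(now: int = NOW) -> float:
    """Share of uniformly random 32-bit values that land 'in the future' at time 'now'.

    Reproducible builds store a hash, not a time, so this is the expected
    false-positive rate of the naive check on such binaries.
    """
    return 1 - now / 2**32


def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE header: DOS header with e_lfanew=0x40, then signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=x64, 1 section, TimeDateStamp=ts, no symbols, optional header 0xF0, characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, ts, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    hashed = 0xE3C8A7F1      # constructed hash-style value as a reproducible build would store
    real = 1609459200        # constructed real build time: 2021-01-01T00:00:00Z
    for ts in (hashed, real):
        print(hex(ts), classify(coff_timestamp(build_sample_pe(ts))))
    print(f"expected false-positive rate on hashed timestamps: {future_fraction():.0%}")
```

With the 2022 reference time roughly three fifths of the 32-bit range lies above "now", so the naive check fires on most hash-derived timestamps; corroborating against other timestamps in the file (debug directory, export directory) is the more robust approach.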

MistressPlague commented 2 years ago

Struggling with my software being detected due to this too. Can this be solved please?

ditekshen commented 2 years ago

Thank you. It will be resolved soon. Additional context: https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/

ditekshen commented 2 years ago

Fixed in https://github.com/ditekshen/detection/commit/0930675fa1aa90675e11f33c7d2507a8dde24451.

MistressPlague commented 2 years ago

Thank you!